[RADIATOR] Radiator Version 4.23 released - security fixes, new features, enhancements and bug fixes

l.m.c.haverkotte at utwente.nl
Thu Apr 11 08:06:30 UTC 2019


Hello Heiki,

Some nice improvements and fixes. I’ve just installed this version on our test environment and I’m seeing some strange behaviour/errors on a configuration that runs fine with 4.22-2.

On performing proxied mschapv2 authentication (with both TTLS and PEAP) radiator logs the following after receiving an ‘Access-Accept’ from the backend servers:

Thu Apr 11 09:56:37 2019 137963: ERR: Could not handle an EAP request: Can't locate object method "getOriginaluserNameString" via package "Radius::Radius" at /opt/radiator/radiator/Radius/Util.pm line 88.

Similarly, TTLS-PAP authentication logs the following:

Thu Apr 11 10:00:48 2019 916527: DEBUG: Handling with EAP: code 2, 8, 87, 21
Thu Apr 11 10:00:48 2019 916961: DEBUG: Response type 21
Thu Apr 11 10:00:48 2019 917282: INFO: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 917746: DEBUG: EAP Failure, elapsed time 0.000003
Thu Apr 11 10:00:48 2019 918140: DEBUG: EAP result: 1, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 918586: DEBUG: AuthBy FILE result: REJECT, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 919201: INFO: Access rejected for anonymous at utwente.nl: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 920957: DEBUG: EAP Failure, elapsed time 0.000003

Seeing that the test environment is a single instance of radiator and the NAS is actually just a single FreeRADIUS eapol_test script, the error seems unlikely.

Installation is based on the new radiator_4.23-1_all.deb package.

Kind regards,

Leon Haverkotte | Network engineer | University of Twente | Library, ICT Services & Archive (LISA) / ITO | Campus building Spiegel, room 226 | T: +31 (0)53 - 489 3016 | l.m.c.haverkotte at utwente.nl | www.utwente.nl/lisa



> On 10 Apr 2019, at 18:02, Heikki Vatiainen <hvn at open.com.au> wrote:
> 
> We are pleased to announce the release of Radiator version 4.23
> 
> This version contains security fixes for EAP-pwd authentication and certain TLS configurations. Other changes include new features, enhancements and bug fixes. See below for the details.
> 
> As usual, the new version is available to current licensees
> and evaluators from:
> https://www.open.com.au/radiator/downloads.html
> 
> Licensees with expired access contracts can renew at:
> https://www.open.com.au/renewal.html
> 
> An extract from the history file
> https://www.open.com.au/radiator/history.html is below:
> 
> -----------------------------
> 
> Revision 4.23 (2019-04-10) security fixes, new features, enhancements and bug fixes
> 
> 
>    Selected compatibility notes, enhancements and fixes
> 
> Improved AcctLogFILE to support JSON.
> 
> Security fixes for EAP-pwd authentication and certain TLS configurations. OSC recommends all users to
> review OSC security advisory OSC-SEC-2019-01
> https://www.open.com.au/OSC-SEC-2019-01.html
> 
> 
>      Known caveats and other notes
> 
> TLSv1.3 is not enabled by default for TLS based EAP methods.
> 
> TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
> 
> 
>      Detailed changes
> 
> Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.
> 
> Added an example of using SupplementaryGroups option in systemd goodies files radiator.service and radiator@.service. This parameter is typically used with AuthBy NTLM to grant access to winbindd socket.
> 
> Added support for experimental parameters EAPTLS_CRLCheckUseDeltas and TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation list support for TLS based EAP and Stream classes, such as EAP-TLS and RadSec. Added test CRLs to Radiator demo certificates. See Radiator reference manual for the details.
> 
> Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec, when Radiator tried to log information about a certificate during specially configured verification. Certificate is not made available by TLS library in all verification failure cases. Reported by Stefan Winter.
> 
> AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled when checking AuthenProto configuration parameter. Addressed a number of Perl::Critic reports.
> 
> AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.
> 
> Update test.pl to clean up temporary files after finishing.
> 
> DiaClient inheritance was updated to allow better log message control. Updated diapwtst respectively. Addressed a number of DiaClient related Perl::Critic reports.
> 
> Fixed some log messages that did not correctly interpolate variables. Addressed other minor results reported by Perl::Critic.
> 
> Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.
> 
> JSON::MaybeXS was mistakenly added as a JSON backend. However it is a wrapper for backends so it is now removed from the list of JSON backends.
> 
> Peer certificate issuer, subject and serial number in decimal and hexadecimal format are now logged on debug level when Radiator verifies peer certificate during EAP-TLS authentication or TLS based stream connection. This information is logged during verify callback when the TLS/SSL library is doing certificate verification. Logging is now done during successful and failing verification. Previously only some certificate information was logged.
> 
> Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR 4329 Siemens added Siemens-AP-Mac as a new VSA and Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for Siemens-Ingress-RC and Siemens-Egress-RC.
> 
> LogSYSLOG did not log Trace 5 level messages but printed out warnings about invalid level/facility to STDERR. Reported by Paul Dekkers.
> 
> Requests without User-Name were triggering warnings that were enabled in Radiator 4.21. Reported cases now avoid warnings, and usernames that are empty instead of not defined are now more clearly logged. Similar work enabling more warnings continues and any reports are welcome. Cases now fixed were reported by Paul Dekkers and Roland Rosenfeld.
> 
> When malformed attributes are received, sender IP address and port are now included in the message. Suggested by Paul Dekkers.
> 
> Support configuration parameter AddToRequestIfNotExist added to AuthBy RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.
> 
> Fixed make zipdist and other non-default targets from failing.
> 
> Unit test name cleanup and better separation between tests.
> 
> generate-totp.pl and nthash.pl goodies utilities no longer need Radiator modules. They now require Net::SSLeay and Digest::MD4, respectively.
> 
> diapwtst now searches its parent directory for Radius-modules. This allows diapwtst to be called in similar fashion as radpwtst.
> 
> Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. Old behaviour was causing zombie processes on some systems. Reported by Johan Wassberg.
> 
> Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and change_attr now return 0, as documented, instead of nothing. This return value still evaluates to false but is now defined. Addressed results reported by Perl::Critic.
> 
> Avoid unnecessary log messages and warnings by not probing SCTP API support on Windows and completely avoiding harmless use of undefined variables in AuthGeneric.
> 
> Added module Radius::JSON, which is a wrapper for various JSON backends. Module exports encode_json and decode_json from the JSON backend it finds. Last resort is JSON::PP, which should be included in Perl versions from 5.14.0.
> 
> Improved AcctLogFILE to support JSON. By default, in addition to trace_id, timestamp, source_host, and type (accounting), all attributes from Accounting-Request are logged. This behaviour can be modified with parameter AcctLogOutputDef.
> 
> Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).
> 
> Updates to support and other help texts.
> 
> Add expected result feature for diapwtst. When expected result is set, diapwtst returns 0 (success) even if result was something else. In this way diapwtst can be more useful, for example to periodically test DIAMETER services.
> 
> 
> -- 
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
> 
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
